Search found 36 matches

by sahostking
05 Apr 2024, 07:56
Forum: General Discussion (csf)
Topic: Custom REGEX rules for CSF.
Replies: 93
Views: 2563822

Re: Custom REGEX rules for CSF.

Use the following to block WordPress XMLRPC and WP-login attacks. Ensure you set CUSTOM2 to the Apache log files and CUSTOM3 to the Exim rejectlog file in csf.conf. # XMLRPC if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) { return ("WP XMLPRC...
by sahostking
17 Aug 2022, 12:13
Forum: General Discussion (csf)
Topic: Custom REGEX rules for CSF.
Replies: 93
Views: 2563822

Re: Custom REGEX rules for CSF.

Will this block any attacks on Joomla and OpenCart admin and administrator folders? Or will it block legitimate customers too? # ADMIN FOLDER if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^(\S+).*POST.*(\/admin).* (200|401)/)) { return ("admin folder",$1,"ADMINFOLDER","...
by sahostking
10 Jun 2022, 11:10
Forum: General Discussion (csf)
Topic: LFD crashing any ideas?
Replies: 2
Views: 1448

Re: LFD crashing any ideas?

Reinstalled a fresh copy on the DirectAdmin server. It may be that their update is causing it. Will have to look into it a bit more.
by sahostking
26 May 2022, 12:43
Forum: General Discussion (csf)
Topic: LFD crashing any ideas?
Replies: 2
Views: 1448

LFD crashing any ideas?

Main Process: Unmatched [ in regex; marked by <-- HERE in m/[ <-- HERE Thu (Unknown)/ at /usr/sbin/lfd line 7793, <$lffd[...]> line 12

I get this error, not sure what it is.

Keep having to restart lfd every hour on one server.
by sahostking
20 May 2022, 06:08
Forum: General Discussion (csf)
Topic: DirectAdmin modsecurity denials not blocked by CSF/LFD
Replies: 3
Views: 9291

Re: DirectAdmin modsecurity denials not blocked by CSF/LFD

With regard to this post, I assume this would be correct then? #mod_security v2 (apache on DirectAdmin host) if (($config{LF_MODSEC}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /^\[\S+ \S+ \S+ \S+ \S+\] \[(\w*)?:error\] (\[pid \d+(:tid \d+)\]) \[client \S+:\S+\] \[client (\S+)\] ModSecurity:(( \[[^\]...
by sahostking
19 May 2022, 07:55
Forum: General Discussion (csf)
Topic: LFD causing kernel panic
Replies: 3
Views: 3552

Re: LFD causing kernel panic

Yeah, on all our servers I am noticing lfd keeps crashing and appears on our monitoring. We keep having to start it on random servers every few hours.

Must be a new update causing this, as it has been running fine for years.
by sahostking
18 May 2022, 15:21
Forum: General Discussion (csf)
Topic: CSF vs Imunify360
Replies: 3
Views: 4800

Re: CSF vs Imunify360

In my opinion both have their benefits. But Imunify360 has more features than CSF. CSF is just a firewall whereas Imunify360 has a malware scanner, proactive scanner, etc. However, if you purchase CXS and use CSF alongside they are quite similar. Imunify360 has a monthly plan where you need to pay each...
by sahostking
21 Apr 2022, 21:52
Forum: General Discussion (csf)
Topic: Custom REGEX rules for CSF.
Replies: 93
Views: 2563822

Re: Custom REGEX rules for CSF.

Something strange is happening. This rule used to work but now it's not stopping attacks: # WP-LOGINS if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^(\S+).*POST.*(wp-login\.php|xmlrpc\.php).* (200|401)/)) { return ("Get lost please",$1,"WPLOGINorWHATEVER","5","...
by sahostking
14 Apr 2022, 05:57
Forum: General Discussion (csf)
Topic: Custom REGEX rules for CSF.
Replies: 93
Views: 2563822

Re: Custom REGEX rules for CSF.

Something strange is happening. This rule used to work but now it's not stopping attacks: # WP-LOGINS if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^(\S+).*POST.*(wp-login\.php|xmlrpc\.php).* (200|401)/)) { return ("Get lost please",$1,"WPLOGINorWHATEVER","5","...
by sahostking
18 Dec 2021, 10:38
Forum: General Discussion (csf)
Topic: Custom REGEX rules for CSF.
Replies: 93
Views: 2563822

Re: Custom REGEX rules for CSF.

Hey guys! I'm using this regex to block attempts to get into the xmlrpc.php file. It works great, unfortunately it only works for the root domain folder. if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST|HEAD) \/+xmlrpc\.php.*" /)) { return ("WP XMLPRC Attack"...